Targeted attacks and advanced persistent threats (APTs) are rapidly becoming the new standard in cyber security threats: focused, targeted attacks intentionally designed to infiltrate enterprises and government agencies in order to find valuable information and trade secrets and to gain access to internal systems. The critical data breaches at RSA, Citibank, and Global Payments all made front-page news in the past year, and according to a recent ISACA survey, 21% of respondents admit that their enterprises have been victims of APTs, while 63% think it is only a matter of time before their enterprises are attacked.
ADVANCED PERSISTENT THREAT (APT) OVERVIEW
Steps of typical APT attacks
Today's advanced attacks use a multistage approach to obtain valuable data: reach an entry point, download malware, open backdoors, locate and compromise target systems, and exfiltrate the data.
While compromising a single laptop can happen quickly, the time from initial intrusion to data compromise often takes days or weeks, and actually detecting and fully removing the threat can take months. Throughout this period the enterprise network harbors an intruder whose aim is to keep siphoning off valuable data.
APT and Targeted Attack Profile
Typical attack scenario model.
APT and targeted attacks regularly follow a multi-step scenario using tactics such as:
- Social – Identifies targets and attacks specific people with social engineering and advanced malware
- Sophisticated – Exploits security vulnerabilities, uses backdoor controls, steals and uses valid information such as credentials
- Stealthy – Performed as a series of low-level actions that conventional security solutions cannot detect, or that drown among the thousands of other event log entries collected daily
The attack starts with intelligence gathering to craft and deliver a social engineering attack against employees, then breaks into the network, moves silently within the organization, and finally extracts data and sends it outside; throughout, command-and-control (C&C) communications and backdoor control are performed remotely.
Advanced Persistent Threats (APTs) and targeted attacks have demonstrated their ability to evade traditional security defenses, remain undetected for long periods, and steal organizational data and intellectual property. The severity of these attacks is compounded by technology trends such as consumerization and cloud computing, which expose the network to more attacks by reducing the role of perimeter protection. Analysts and experts have identified these issues and recommend that enterprises extend their security systems with threat-specific detection technology and a proactive, real-time threat management process.
ABOUT TREND MICRO DEEP DISCOVERY
Trend Micro Deep Discovery provides the network-wide visibility, insight, and control that enterprises and government organizations need to reduce the risk of APTs and targeted attacks. Deep Discovery detects and identifies evasive threats in real time and provides the in-depth analysis and actionable intelligence needed to prevent, discover, and contain attacks on enterprise data.
Deep Discovery's proven methods deliver the best detection with minimal false positives, identifying malicious content, communications, and behavior at every stage of an attack. By detecting and analyzing in depth both advanced malware and attacker activity, Deep Discovery offers enterprises and government organizations a new level of visibility and intelligence to fight APTs and targeted attacks in evolving computing environments.
Deep Discovery Inspector (DDI)
- Network traffic monitoring
- Detection of advanced threats
- Real-time analysis and reporting
DETECTS AND PROTECTS AGAINST
- APTs and targeted attacks
- Zero-day malware and document exploitation
- Network actions of attackers
- Web-based threats (exploits, drive-by downloads)
- Email threats (phishing, spear-phishing)
- Data exfiltration
- Bots, Trojans, Worms
- Keyloggers and crimeware
- Disruptive apps
Deep Discovery Advisor (DDA)
Deep Discovery Advisor (DDA) analyzes suspicious samples using heuristic analysis and provides threat intelligence analysis and reporting, delivering comprehensive protection against botnets and other advanced malware threats, including Advanced Persistent Threats (APTs).
Deep Discovery Advisor (DDA) can be integrated with Deep Discovery Inspector (DDI) and InterScan Messaging Security Virtual Appliance (IMSVA, Trend Micro's mail gateway) to analyze unknown malware heuristically and provide real-time threat analysis and reporting. The built-in VMware-based sandbox analysis lets DDA track and analyze suspicious behavior and effectively detect malware and attack activity such as C&C communications, social engineering attacks, and DDoS attacks.
- In-depth analysis and simulation of threats
- Customizable sandboxed execution environments
- Manual, automatic, and open (API) submission
- Can be integrated with DDI and IMSVA
Threat Intelligence Center
- In-depth analysis of events and incidents
- Deep Discovery Inspector (DDI) central reporting
Security Update Server
- IP/URL blacklist export
- (Future) custom signature update
Deep Discovery Analyzer (DDAN)
Deep Discovery Analyzer (DDAN) is a scalable sandbox server that provides on-demand, on-premise sandboxing services. DDAN lets you define multiple custom virtual sandbox environments that exactly match your desktop software configuration. It supports out-of-the-box integration with Trend Micro web and email security products as well as other Deep Discovery platform products. An open Web Services API lets any authorized product or individual submit a sample and obtain a detailed analysis report.
Scalable sandboxing service
- Ensures optimal performance with a scalable solution that keeps your systems running smoothly while analyzing samples from email, network, endpoint, or any other source
- Performs sandbox simulation and analysis in environments that exactly match your desktop software configuration, ensuring optimum detection and a low false-positive rate
Wide range of file analysis
- Checks a wide range of Windows files; executes Microsoft Office documents, PDFs, web content, and certain archive types using various detection and sandboxing techniques
Document exploit detection
- Detects malicious code and exploits in common office documents using dedicated detection and sandboxing mechanisms
- Performs page scanning and sandbox analysis of manually submitted URLs
- Delivers full analysis results, including detailed sample behavior and C&C communications, through central dashboards and reports
Integrates with Trend Micro products
- Enables out-of-the-box integration with most Trend Micro email and web security products
Web API service and manual submission
- Allows any authorized product or threat researcher to submit a sample
Customizable defense integration
- Automatically shares new IOC intelligence with other Trend Micro solutions and third-party security products
Deep Discovery Endpoint Sensor (DDES)
Deep Discovery Endpoint Sensor (DDES) is context-aware endpoint security monitoring software that records and reports system-level activity in detail, enabling threat analysts to quickly evaluate the nature and extent of an attack. Endpoint Sensor uses Indicators of Compromise (IOC) intelligence from Deep Discovery and other sources to perform multi-level searches across user endpoints and servers, confirming intrusions and uncovering the full context and timeline of the attack.
Endpoint-wide event recording
- Endpoint Sensor uses a lightweight agent on the workstation to record meaningful system activities and communication events at the kernel level. It tracks these events in context over time and provides historical depth that can be accessed in real time
Rich search parameters
- Endpoints can be queried for specific communications, specific malware, registry activity, account activity, specific running processes, and more. A search parameter can be an individual indicator or an OpenIOC or YARA file
Centralized search and analysis management
- Searches can be launched directly from Endpoint Sensor Manager or from Trend Micro Control Manager, so you can respond instantly to attacks based on real-time IOC parameters and event data from other products
Multi-level, in-context results and analysis
- Interactive dashboards let you view and analyze system activity over time, assess enterprise-wide impact, and export investigation results
On-site, remote, and cloud deployment
- Endpoint Sensor records and reports system-level activity on servers, workstations, and Windows-based laptops at any geographic location
Compatible with antivirus software
- Coexists with any workstation or server antivirus software
Investigating and responding to detected threats against users and the network
– Step 1: Deep Discovery detects malicious code or malware activity
– Step 2: Deep Discovery Smart Indicators of Compromise (IOC) are used as search criteria
– Step 3: Endpoint Sensor performs a multi-level investigation
o Confirms and investigates intrusion alerts
o Scans endpoints for the same IOCs
o Builds a time/process-based attack map
o Produces a prevention and remediation plan
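The Step 2 to Step 3 hand-off above (indicators from a network-side detection used as search criteria, a sweep of every endpoint for the same IOCs, and a time/process-based attack map for the hosts that hit) as an added example in Python. This is not Trend Micro code and uses no Deep Discovery or Endpoint Sensor API; the endpoint telemetry, host names, file hash, C&C domain and registry key are constructed for illustration, and the IOC set is a plain dictionary rather than an OpenIOC or YARA file.

```python
"""Added example (not Trend Micro code): IOC sweep over constructed endpoint
telemetry, then a time/process-based attack map for each host that hits."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    ts: str      # ISO 8601 timestamp; sorts correctly as a string
    kind: str    # "process", "file", "network" or "registry"
    pid: int
    ppid: int
    value: str   # image name, file hash, destination FQDN or registry key


# Constructed telemetry from three hypothetical endpoints (not real data).
EVENTS = [
    Event("ws-101", "2024-03-01T09:02:11", "process", 412, 1, "explorer.exe"),
    Event("ws-101", "2024-03-01T09:02:40", "process", 980, 412, "OUTLOOK.EXE"),
    Event("ws-101", "2024-03-01T09:03:05", "process", 1320, 980, "WINWORD.EXE"),
    Event("ws-101", "2024-03-01T09:03:09", "process", 1377, 1320, "powershell.exe"),
    Event("ws-101", "2024-03-01T09:03:10", "file", 1377, 1320, "sha256:" + "9f2c" * 16),
    Event("ws-101", "2024-03-01T09:03:12", "network", 1377, 1320, "update.cdn-telemetry.example"),
    Event("ws-101", "2024-03-01T09:03:15", "registry", 1377, 1320,
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"),
    Event("srv-02", "2024-03-01T11:40:02", "process", 2210, 4, "svchost.exe"),
    Event("srv-02", "2024-03-01T11:41:30", "network", 2210, 4, "cdn-telemetry.example"),
    Event("ws-205", "2024-03-01T10:15:00", "process", 600, 1, "chrome.exe"),
    Event("ws-205", "2024-03-01T10:15:03", "network", 600, 1, "www.example.org"),
]

# Constructed IOC set, as a network detection (Step 1) would hand it over (Step 2).
IOCS = {
    "hashes": {"sha256:" + "9f2c" * 16},
    "domains": {"cdn-telemetry.example"},
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"},
}


def domain_matches(fqdn: str, domains: set[str]) -> bool:
    """Exact or subdomain match: a sweep for the C&C parent domain also catches hosts under it."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in domains)


def matches_ioc(ev: Event, iocs: dict) -> bool:
    if ev.kind == "file":
        return ev.value.lower() in {h.lower() for h in iocs["hashes"]}
    if ev.kind == "network":
        return domain_matches(ev.value, iocs["domains"])
    if ev.kind == "registry":
        return ev.value.lower() in {k.lower() for k in iocs["registry"]}
    return False  # process-start events are context here, not indicators


def sweep(events: list[Event], iocs: dict) -> dict[str, list[Event]]:
    """Step 3, first two bullets: check every endpoint for the same IOCs; hits per host, time-ordered."""
    hits: dict[str, list[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e.host, e.ts)):
        if matches_ioc(ev, iocs):
            hits[ev.host].append(ev)
    return dict(hits)


def process_chain(events: list[Event], host: str, pid: int) -> list[str]:
    """Walk pid -> ppid through the host's process-start events; returns image names root-first."""
    starts = {e.pid: e for e in events if e.host == host and e.kind == "process"}
    chain, seen = [], set()
    while pid in starts and pid not in seen:   # 'seen' guards against PID-reuse loops
        seen.add(pid)
        chain.append(starts[pid].value)
        pid = starts[pid].ppid
    chain.reverse()
    return chain


def attack_map(events: list[Event], iocs: dict) -> dict[str, dict]:
    """Step 3, third bullet: per compromised host, the process ancestry plus the timed IOC hits."""
    result = {}
    for host, hits in sweep(events, iocs).items():
        chains = sorted({tuple(process_chain(events, host, h.pid)) for h in hits})
        result[host] = {
            "chains": [list(c) for c in chains],
            "hits": [(h.ts, h.kind, h.value) for h in hits],
        }
    return result


if __name__ == "__main__":
    for host, info in attack_map(EVENTS, IOCS).items():
        print(host)
        for chain in info["chains"]:
            print("  chain:", " -> ".join(chain))
        for ts, kind, value in info["hits"]:
            print(f"  {ts} {kind:8s} {value}")
```

Two design choices worth noting. The C&C domain is matched by suffix rather than equality, so the workstation that beaconed to update.cdn-telemetry.example is caught by the same indicator as the server that contacted the parent domain, while an unrelated name such as cdn-telemetry.example.org is not; hashes and registry keys are matched exactly. The attack map is built by walking parent PIDs back through the recorded process-start events, which is what turns three separate hits into the single Outlook, Word, PowerShell chain an analyst needs for the remediation plan; the clean host never appears in the result.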
DL IT INVESTMENT CORPORATION
- Address: 152/32 Thanh Thai, Ward 12, District 10, HCMC
- Telephone: (84-28) 62650735 - Fax: (84-28) 62650734